Getting Data In

Broken Hosts

ssingh5
Path Finder

How do I identify & troubleshoot Windows hosts which have not forwarded any log to Splunk within the last 2 weeks?

0 Karma

Drainy
Champion

I am going to make an assumption that you are using the Universal Forwarder. If so there is a log called Splunkd.log inside Splunk/var/log/splunk/ which lists all the actions in the background.

Inside here it will list any connection problems it has had with regards to forwarding to indexers, it will also list if there are any files that it hasn't noticed any changes to and so hasn't forwarded (can always be a possibility).

If you use the deployment monitor app on the indexer it also has tools to allow you to identify forwarders that have sent less than average events or more than average.

Finally there is an app called SoS which you can install on the indexer which gives you greater visibility into what is happening on splunk with custom designed dashboards to summarize errors, warnings and potential problems.

If you find any specific errors then please feel free to update your answer and we can try some more advanced troubleshooting techniques if they aren't obvious.

EDIT:
To change to the free license on an indexer or full version of Splunk follow these steps:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/MoreaboutSplunkFree#Switching_to_Free_from_...

And have a look here for some information on what the Universal Forwarder is:
http://docs.splunk.com/Documentation/Splunk/4.2.5/Deploy/Introducingtheuniversalforwarder

0 Karma
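A small triage script for the splunkd.log check suggested in this answer, added here as an example and not taken from the thread. It assumes the usual splunkd.log line layout (date, timezone offset, level, component, " - ", message); the sample lines, their component names and the TcpOutputProc wording are constructed, while the license message is the one quoted in this thread.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed splunkd.log layout: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)

# Failure signatures to count: the license message quoted in the thread, and
# forwarder-to-indexer connection trouble (assumed to come from TcpOutputProc).
SIGNATURES = {
    "license_expired": lambda r: "your license has expired" in r["msg"].lower(),
    "indexer_unreachable": lambda r: r["component"] == "TcpOutputProc",
}

# Constructed sample log lines (component names and wording are illustrative).
SAMPLE_LINES = [
    "03-01-2012 09:00:01.123 +0000 INFO  TailingProcessor - Parsing configuration stanza: monitor://C:/logs",
    "03-01-2012 09:00:05.456 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.5:9997 timed out",
    "03-01-2012 09:01:05.789 +0000 ERROR LicenseManager - your license has expired. Log in as an Admin user "
    "to install a new license or switch to Splunk with a Free License",
    "03-01-2012 09:02:00.000 +0000 ERROR LicenseManager - your license has expired. Log in as an Admin user "
    "to install a new license or switch to Splunk with a Free License",
]


def parse_line(line):
    """Split one splunkd.log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m-%d-%Y %H:%M:%S.%f")
    return rec


def triage(lines, since=None):
    """Count ERROR/WARN records per component and per failure signature, optionally only after `since`."""
    by_component, hits = Counter(), Counter()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["level"] not in ("ERROR", "WARN"):
            continue
        if since is not None and rec["ts"] < since:
            continue
        by_component[rec["component"]] += 1
        for name, matches in SIGNATURES.items():
            if matches(rec):
                hits[name] += 1
    return by_component, hits
```

Run it over the real file under Splunk/var/log/splunk/ on the silent host, and pass `since` to restrict the counts to the two-week window in question.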

Drainy
Champion

Have you installed a Splunk indexer (the full Splunk) on each host and set it to forward to the main indexer? If so you will need to log onto the web GUI and switch it to a free license. Splunk comes with a free trial license but after 60 or 90 days (can't recall which) you have to change it to a free license; I'll update my answer with how to do this. Otherwise, and to make life easier, you could install Universal Forwarders on the remote hosts.

0 Karma

ssingh5
Path Finder

Thank you Drainy for this information. I have logged on to the host that has not sent any log for more than 2 weeks and checked the splunkd logs, and found a huge amount of errors which say "your license has expired. Log in as an Admin user to install a new license or switch to Splunk with a Free License".

Any suggestions on this?

0 Karma